State AGs Secure $515,000 Settlement for Data Breach

MA Attorney General Press Releases

Filed January 28th, 2026

Detected February 7th, 2026

Summary

Massachusetts and Connecticut Attorneys General have secured a $515,000 settlement with Comstar, LLC, an ambulance billing vendor, following a 2022 data breach. The settlement addresses violations of data security regulations and HIPAA, requiring Comstar to pay $415,000 to Massachusetts and implement enhanced security measures.

View original document View source feed page

What changed

Massachusetts and Connecticut Attorneys General announced a $515,000 settlement with Comstar, LLC, an ambulance billing vendor, for failing to adequately safeguard sensitive patient information during a March 2022 data breach. The breach potentially exposed the Social Security numbers, driver's license numbers, financial account information, and medical assessment data of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents. The settlement, filed in Suffolk Superior Court, resolves allegations that Comstar violated Massachusetts data security regulations and HIPAA due to an inadequate Written Information Security Program (WISP).

As part of the settlement, Comstar will pay $415,000 to Massachusetts and an additional amount to Connecticut. The company is also mandated to implement significant security enhancements, including phishing protection software, a vulnerability management program, multi-factor authentication, an intrusion detection/prevention system, and a security incident and event management platform. Comstar must also conduct annual security assessments for three years and report the findings to both state Attorneys General. This action highlights the critical need for vendors handling sensitive patient data to maintain robust security programs and comply with data protection laws.

Source document (simplified)

This page, AG Campbell Secures $515,000 Settlement with Ambulance Billing Vendor for Failing to Safeguard Sensitive Patient Medical Information , is offered by
Office of the Attorney General
show more

Press Release

Press Release AG Campbell Secures $515,000 Settlement with Ambulance Billing Vendor for Failing to Safeguard Sensitive Patient Medical Information

For immediate release: 1/28/2026
- Office of the Attorney General

Media Contact

Kennedy Sims, Deputy Press Secretary

Phone

Call Kennedy Sims, Deputy Press Secretary at (617) 727-2543

Online

Email Kennedy Sims, Deputy Press Secretary at Kennedy.Sims@mass.gov

BOSTON — Massachusetts Attorney General Andrea Joy Campbell today announced that her office has reached a $515,000 settlement with Comstar, LLC, a Rowley-based ambulance billing vendor, for failing to safeguard sensitive patient information during a March 2022 data breach that potentially affected the Social Security numbers, driver’s license numbers, financial account numbers, and medical assessment information of approximately 326,426 Massachusetts residents and 22,829 Connecticut residents. The settlement was reached in partnership with the Connecticut Attorney General’s Office, and Massachusetts shall receive $415,000 from the resolution.

In March 2022, an outside actor accessed, encrypted, and held for ransom certain files and servers maintained by Comstar. In May 2022, Comstar began mailing data breach notices to consumers on behalf of the various entities for which it conducts billing.

The consent judgement, filed in Suffolk Superior Court on January 28, 2026 and which is awaiting court approval, resolves allegations that Comstar violated the Massachusetts Data Security regulations and the Health Insurance Portability and Accountability Act (HIPAA) by failing to maintain an adequate Written Information Security Program (WISP) to prevent the initial attack. When implemented, WISPs help to identify and assess reasonably foreseeable risks and evaluate and improve the effectiveness of existing safeguards, including proper employee training and compliance.

In addition to the $415,000 monetary payment to Massachusetts and a separate payment to Connecticut, Comstar will be required to implement phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security incident and event management platform, and security software for laptops and desktops on Comstar’s network. In addition, Comstar will also be required to conduct a security assessment once per year for three years and transmit the findings of those reports to the Massachusetts and Connecticut AGOs.

This matter is being handled by Assistant Attorney General Kaitlyn Karpenko and Chief Jared Rinehimer of the AGO’s Privacy and Responsible Technology Division. More information about the Massachusetts Data Security Law can be found here.

Media Contact

Kennedy Sims, Deputy Press Secretary

Phone

Call Kennedy Sims, Deputy Press Secretary at (617) 727-2543

Online

Email Kennedy Sims, Deputy Press Secretary at Kennedy.Sims@mass.gov

Office of the Attorney General

The Attorney General is the chief lawyer and law enforcement officer of the Commonwealth of Massachusetts.

Media Contact

Kennedy Sims, Deputy Press Secretary

Phone

Call Kennedy Sims, Deputy Press Secretary at (617) 727-2543

Online

Email Kennedy Sims, Deputy Press Secretary at Kennedy.Sims@mass.gov

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage? Yes No If you have any suggestions for the website, please let us know. How can we improve the page? Please do not include personal or contact information. You will not get a response The feedback will only be used for improving the website. If you need assistance, please Contact the Attorney General's Office at (617) 727-2200. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback. You will NOT get a response. If you need assistance, please Contact the Attorney General's Office at (617) 727-2200. Please let us know how we can improve this page. Please remove any contact information or personal data from your feedback. You will NOT get a response. If you need assistance, please Contact the Attorney General's Office at (617) 727-2200. Thank you for your website feedback! We will use this information to improve this page.

If you would like to continue helping us improve Mass.gov, join our user panel to test new features for the site.